CVE-2022-25813
N/A
N/A
Summary
In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache OFBiz | Apache OFBiz <= 18.12.05 | affected |
Weaknesses
- CWE-1336: CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread/vmj5s0qb59t0lvzf3vol3z1sc3sgyb2b
- http://www.openwall.com/lists/oss-security/2022/09/02/4
References
- https://lists.apache.org/thread/vmj5s0qb59t0lvzf3vol3z1sc3sgyb2b
- http://www.openwall.com/lists/oss-security/2022/09/02/4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.